---
title: "How to Secure Your WordPress Website for Free"
description: "Almost one in every three websites you visit is powered by WordPress. WordPress is generally a secure platform, but if anyone is able to exploit its weaknesses, a third of the internet might be in trouble. Not to mention those websites' users."
image: "https://images.ctfassets.net/lzny33ho1g45/wordpress-security-plugins-p-img/208857ab02e7f6193991757e4d18c640/file.png"
---

# How to Secure Your WordPress Website for Free

Almost one in every three websites you visit is [powered by WordPress](https://w3techs.com/). WordPress is generally a secure platform, but if anyone is able to exploit its weaknesses, a third of the internet might be in trouble. Not to mention those websites' users.

As the founder of a web design agency, I've built and managed many websites—including six of my own—using WordPress. And as a consumer, I understand the value of security when I provide personal information online.

In order to keep your WordPress site secure, you'll want to go the extra mile: Keep your site updated, use [plugins](https://zapier.com/blog/uninstall-wordpress-plugin/) to prevent attacks, and back up your site consistently. There are services that will do all this for you, but there are also ways to keep your site secure without spending a dime.

## Keep Your Site Updated

WordPress itself consistently releases new versions, as do most [WordPress plugins](https://zapier.com/blog/best-wordpress-plugins/) and themes. While some updates are released to fix a bug or add a new feature, others address potential security risks. If your site isn't updated, it becomes more vulnerable to an attack.

WordPress releases updates sporadically—there were [22 total updates in 2017](https://wordpress.org/news/category/releases/)—and the frequency of plugin and theme updates will vary based on the developer. Regardless, it's best practice to check for updates regularly.

### How to update your site, themes, and plugins

WordPress will automatically update your site for minor security releases, but unless you use a plugin, [there's some code involved](https://codex.wordpress.org/Configuring_Automatic_Background_Updates) in making sure your whole site—themes and plugins included—is always up to date.

[Easy Updates Manager](https://wordpress.org/plugins/stops-core-theme-and-plugin-updates/) is the top-rated automatic update plugin, and over 100,000 websites are actively using it as a set-it-and-forget-it way of ensuring that their site is updated. Here's how it works:

1. Once Easy Updates Manager is installed, click _Update Options_ in the WordPress left-hand navigation menu.
2. There, you can enable updates on your website.

If you'd rather have control over which updates you receive, you can also do the process manually.

1. Log in to your site and click _Updates_ in the left-hand navigation menu.
2. On the Updates page, select which themes and plugins to update. You can also update WordPress itself if there's an update available.

### How to check the changelogs for your site, themes, and plugins

You'll also want to check the changelogs for each release to get information on what was included in the update—specifically, whether the update was released to address a security issue. Details on the latest WordPress releases can be found on the [WordPress news site](https://wordpress.org/news/category/releases/), but finding the changelogs for your plugins and themes is more difficult. Sometimes it's not available at all: It will depend on the specific plugins and themes your site uses and if the developers have decided to publish this information.

Here's how to check for details on your plugins' updates:

1. Go to the Plugins page and click _View details_ next to the plugin you want to check.
2. From there, an information box will pop up with details about that plugin. Often, developers will include a _Changelog_ tab that you can click to view details on the plugin's past releases.
3. If this box doesn't include a specific tab for the plugin's changelog, check the plugin description. Some developers will include a link to the changelog there.

A similar process can be used to check the changelogs for your themes. Go to the Themes page and hover over the theme you'd like to check. Click _Theme Details_.

In most cases, you'll need to navigate to the theme developer's website to find the changelog.

When it comes down to it, clicking update and then moving right along isn't the end of the world. But really _understanding_ the updates you're installing will give you a better sense of how secure your site is.

## Use Plugins to Prevent Attacks

Any website is vulnerable to an attack, but there are common types of attacks on WordPress sites that we'll run through before suggesting some plugins to help prevent these attacks.

**Brute force attacks**

Even when your site is up-to-date, there are still back doors for hackers. In fact, there are sometimes even front doors: your login information. Brute force attacks—where someone tries to log in by repeatedly guessing your credentials—are more common than you'd think: Sometimes there are [tens of thousands of attacks a day](https://codex.wordpress.org/Brute_Force_Attacks).

**SQL injections**

These types of attacks generally occur when a hacker uses an input field on your site to submit malicious SQL (a database language). The hacker can then access your database, messing with your site and users' information and even making themselves administrators of your site.

**File inclusions**

File inclusion attacks occur due to vulnerabilities in your WordPress site's PHP code. File inclusions can be used to load remote files into your WordPress installation, allowing the hacker to control your site.

**Malware**

Malware is a malicious script installed on your website with the goal of stealing sensitive data—personal information, credit card numbers, etc.—from you or your visitors. The scariest part? Your site may be infected with malware without you realizing.

Using these attacks, there are countless things a hacker could do to your website: make changes that reflect poorly on you, steal user information, delete your site—you name it. Hackers can even [hold a site ransom](https://www.theguardian.com/technology/2015/feb/03/hackers-websites-ransom-switching-encryption-keys), forcing you to pay to regain access to your website.

### The best WordPress security plugins

Developers can increase security on their websites via code. But for the rest of us, the simplest way to implement additional security protocols is via a WordPress plugin. Security plugins will include the following features:

- **Firewall protection.** This feature will help identify and block malicious web traffic.
- **Brute force attack protection.** This feature will allow you to change the default login page of your website so that hackers won't be able to easily find it. You'll also be able to limit the number of login attempts on your site and enforce strong passwords.
- **Malware scanning.** This feature will help you identify if there's malware on your site. Some plugins may even be able to delete this malware by replacing your site's files with a previous version.
- **File change detection.** This feature will identify any unexpected changes to files on your website; i.e., ones you didn't make yourself.

We'll take a look at the two most popular security plugins to show you how they work.

**Wordfence Security - Firewall & Malware Scan**

[Wordfence](https://wordpress.org/plugins/wordfence/) is the most popular security plugin (with over a million websites using it) likely because of its simple dashboard. At a glance, you can see how well protected your site is.

The _Firewall_ and _Scan_ percentages are calculated based on how many of Wordfence's security features you have set up. By hovering over these icons, Wordfence will display a pop-up that indicates additional steps you can take to improve your site security. And that little _Notifications_ box lets you know how many potential security issues Wordfence has found on your website.

The scan itself can be set to run automatically to check file changes and to search your site for malware.

Further down, you'll find information on the number of potential attacks that Wordfence has blocked.

To make things even simpler, Wordfence offers email notifications regarding potential issues. For example, an email notification is sent to your inbox immediately after someone logs in to your WordPress backend. If it wasn't you, then you know you may have been hacked. Other email alerts can be enabled to tell you when someone is locked out from logging into your site, when a visitor from a bad IP address has been blocked, or when files have been changed.

**Wordfence pricing:** Free; premium version available, which includes added security measures such as two-factor authentication

**All in One WP Security & Firewall**

[All in One WP Security](https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/) is transparent in its user experience: All of its settings appear in the WordPress left-hand navigation menu.

Above each security setting, it displays a text box to describe what that setting does and how it works to secure your site, making it easy even for security amateurs.

On top of the standard security features, All in One WP Security also features a _Maintenance_ mode that allows you to display a custom message when you're working on the site. That way you can keep your site secure without upsetting or confusing potential visitors during the outage.

**All in One WP Security & Firewall pricing:** Free

## Back Up Your Site

One of the major concerns of an attack is that your entire website could be deleted. Just like that, your site—along with all its data—would be gone. But if you run regular backups, you can bring it back to life with just a few clicks.

It's possible to back up your site manually using the Export tool. In the WordPress navigation menu, hover over _Tools_ and click _Export_.

Then, on the Export page, choose the option for _All Content_ and click _Download Export File_.

Once you've downloaded the file, you can later import it back into a new WordPress installation.

Some people prefer to have more control over their security—in which case, exporting is the way to go—but if you feel comfortable relying on a third party, WordPress offers a plugin that'll do the dirty work for you.

### UpdraftPlus

With [UpdraftPlus](https://wordpress.org/plugins/updraftplus/), you can back up your site at any time by going to the plugin dashboard page and clicking _Backup Now_, or you can set automatic routine backups.

Automatic backups can be set to run every 4 hours, 8 hours, or 12 hours or daily, weekly, bi-weekly, or monthly. If your site is mostly for marketing and isn't updated much, the monthly option should do the trick. But if you're adding or changing data regularly—e.g., receiving orders from customers—you'll want to choose the daily option, if not one of the hourly options.

The backups are stored either on your server or in your preferred cloud storage account like Dropbox or Google Drive. It's all automated, and you can choose how many backups you want to keep stored at any given time. Once you reach that number, it will automatically delete the previous versions.

So if something happens to your website that can't be fixed—due to an attack or otherwise—you won't lose your site or its data. Instead, you'll just delete your entire WordPress site and install a new one. Then install UpdraftPlus, upload the backup files, and the website will be restored to whatever it was at the last backup (all by clicking _Restore_ in the UpdraftPlus dashboard).

**UpdraftPlus pricing:** Free with feature add-ons available to purchase

---

Whether you're hosting a portfolio for your freelancing business or you're collecting the personal information of thousands of visitors to an e-commerce site, you need to keep your site secure. It's better to take precaution now than risk catastrophe down the road.